Explore every episode of the podcast Hacking Humans
Dive into the complete episode list for Hacking Humans. Each episode is cataloged with detailed descriptions, making it easy to find and explore specific topics. Keep track of all episodes from your favorite podcast and never miss a moment of insightful content.
| Title | Pub. Date | Duration | Description |
|---|---|---|---|
| SaaS (noun) [Word Notes] | 03 Sep 2024 | 00:06:04 | Enjoy this special edition of Word Notes:<br>A cloud-based software distribution method where app infrastructure, performance, and security are maintained by a service provider and accessible to users, typically via subscription, from any device connected to the internet. |
| RATs in the tunnel: Uncovering the cyber underworld. [OMITB] | 03 Sep 2024 | 00:37:05 | Welcome in! You’ve entered Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks' Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks.<br>Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about the abuse of legitimate services for malware delivery.<br>Proofpoint has seen an increase in the abuse of tools like ScreenConnect and NetSupport, as well as Cloudflare Tunnel abuse and the use of IP filtering. They have also observed a rise in financially motivated malware delivery using TryCloudflare Tunnel abuse, focusing on remote access trojans (RATs) like Xworm and AsyncRAT.<br>Today we look at how Cloudflare tunnels are used to evade detection and how the actors behind these campaigns have evolved their tactics by incorporating obfuscation techniques, with research ongoing to identify the threat actors involved. |
| cold boot attack (noun) [Word Notes] | 06 Aug 2024 | 00:06:59 | Please enjoy this special encore episode of Word Notes.<br>A type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer’s Random Access Memory or RAM during the reboot process in order to steal sensitive data. |
| joint cyber defense collaborative (JCDC) (noun) [Word Notes] | 03 Oct 2023 | 00:07:25 | A cyber information-sharing U.S. Government organization designed to foster the public-private partnership.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/joint-cyber-defense-collaborative<br>Audio reference link: Jen Easterly. 2021. CISA Director Addresses the National Technology Security Coalition [Video]. YouTube. URL https://www.youtube.com/watch?v=ucb1FQXqsao |
| Stealing your car's identity. | 28 Sep 2023 | 00:58:50 | This week our guest is Sam Crowther, Kasada CEO, who is sharing his team's findings on "Stolen Auto Accounts: The $2 Price Tag on Your Car’s Identity." Joe and Dave share some listener follow-up from Steve, who writes in sharing an email he thought was a scam but that turned out to be real. Listener Derek writes in with a question regarding AI and phishing emails. Joe's story comes from Proofpoint, which shares its 2023 State of the Phish report. Dave's story follows an email claiming that the receiver has had a sexually explicit video leaked to an adults-only website, and that to remove the video from the site, the receiver can send $200. Our catch of the day comes from listener Tony, who writes in to share an email he and his school received claiming that the sender found pornographic material on the school's website.<br>Links to follow-up and stories:<br>2023 State of the Phish<br>Yikes! My sex video has been uploaded to YouPorn, apparently<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: penetration test (noun) [Word Notes] | 26 Sep 2023 | 00:04:08 | The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid-1960s as time-sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems. |
| Rooting vs routing. [Hacking Humans Goes to the Movies] | 24 Sep 2023 | 00:28:10 | Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds.<br>Links to this episode's clips if you'd like to watch along:<br>Dave's clip from the movie: Matchstick Men<br>Rick's clip from the movie: Mr. Robot |
| Hackers play the evasion game. | 21 Sep 2023 | 00:53:46 | This week our guest is John Hammond from Huntress, who sits down to talk about spoofing and evasion techniques used by hackers. Dave and Joe share a bit of follow-up, including a question from listener John, who writes in asking about a passkey discussion in the last episode. Joe has a story from Reddit this week, where someone posted about a dispute with their wedding caterer: the company says the couple still owes over $5,000 for umbrellas after the wedding has happened, and the poster wants to know what to do about it. Dave's story is from Retool, which is warning customers after one of its employees fell victim to a phishing scheme delivered through SMS. Our catch of the day comes from the University of Alabama department of engineering, where the receiver of a suspicious-looking email is being "sued" for owing $300 and not paying it back.<br>Links to follow-up and stories:<br>Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins<br>When MFA isn't actually MFA<br>Wedding caterer charging us $5,000 post-wedding for their accountant’s error<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Cloud Security Posture Management (CSPM) (noun) [Word Notes] | 19 Sep 2023 | 00:07:18 | Tools that automate the identification and remediation of cloud misconfigurations.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/cloud-security-posture-management<br>Audio reference link: Joss Whedon. 2005. Serenity [Movie]. IMDb. URL https://www.imdb.com/title/tt0379786/ |
| The online dating world is a jungle. | 14 Sep 2023 | 00:50:00 | Andrew Hendel, CEO at Marshmallo, joins to share tips to safeguard your feelings and identity in the online dating world. Dave and Joe share some listener follow-up from Gareth, who writes in to discuss strange emails he has been receiving. Dave's story follows a woman who was spared jail time after being manipulated by hackers into money laundering. Joe's story is from listener Doug, who wrote in to talk about the site he runs and a service he uses called "Buy me a coffee," where his viewers can buy him a coffee, and the odd payment-method issues he has been experiencing there. Our catch of the day comes from listener Brandyon, who shares an interesting way he was offered to make $600 a week.<br>Links to follow-up and stories:<br>Woman 'manipulated' by hackers into money laundering<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: The Bombe (noun) [Word Notes] | 12 Sep 2023 | 00:04:15 | An electro-mechanical device used to break Enigma-enciphered messages about enemy military operations during the Second World War. The first bombe, named Victory and designed by Alan Turing and Gordon Welchman, started code-breaking at Bletchley Park on 14 March 1940, a year after WWII began. By the end of the war, five years later, almost 2,000 people, mostly women, sailors and airmen, operated 211 bombe machines in the effort. The Allies essentially knew what the German forces were going to do before the German commanders in the field knew. Historians speculate that the effort at Bletchley Park shortened the war by years and estimate the number of lives saved to be between 14 and 21 million. |
| Passkeys: consumer-friendly password killers? | 07 Sep 2023 | 00:46:43 | Guest Chris Sherwood, owner of Crosstalk Solutions, joins Dave to talk about passkeys. Joe shares some listener follow-up about "revert" and side-loading applications on Android phones. Joe's story came from a listener named Kyle, who sent it in as a Catch of the Day (COTD): a phishing scam email conversation about event sponsorship. Dave discusses something he saw on Mastodon from user Bjorn about some fraudulent bank charges and stopping a scam in progress. Our COTD is from listener Alec about a potential dating scam offer over Instagram.<br>Links to follow-up and stories:<br>Follow-up on side-loading applications (Note, we do not recommend you install any of these applications.)<br>Mastodon thread about social engineering involving fraudulent banking charges.<br>Chris Sherwood's passkey explainer video on YouTube<br>Passkeys directory website<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| single sign-on (SSO) (noun) [Word Notes] | 05 Sep 2023 | 00:08:20 | A session and user authentication Zero Trust tactic that allows a user to access multiple applications with one set of login credentials.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/single-sign-on<br>Audio reference link: English, J., 2020. What is Single Sign-On (SSO)? SSO Benefits and Risks [Video]. YouTube. URL https://www.youtube.com/watch?v=YvHmP2WyBVY |
| This is 300! | 01 Aug 2024 | 00:47:48 | This week we celebrate 300 episodes! Maria Varmazis, host of the N2K daily space show T-Minus, joins Dave and Joe and shares a PSA on the CrowdStrike outage. Her story focuses on the Olympics, as this was the first week of the Games, and she shares a recent fraud campaign targeting iPhone users in India, posing as India Post through smishing attacks. Our hosts discuss some follow-up from listener Brie, who writes in to share how one police force is helping folks stay safe from scam callers. They also share a story from listener Mark, who writes in about his 77-year-old mom's Facebook account being hacked: she was tricked into downloading an app and opening her banking app while on a fake customer service call. Dave's story is on Gina Russell, who posed as a psychic and led an elaborate extortion scheme with her family, coercing victims into giving them millions of dollars under threats of harm. Joe has the story of social media giant Meta saying sextortion scams are increasing, with criminals from Nigeria often targeting adult men in the U.S. Our catch of the day comes from an anonymous listener, who shared a post they found on the social media platform "Shared" about a scammer getting messed with.<br>Please take a moment to fill out an audience survey! Let us know how we are doing!<br>Links to the stories:<br>Phishing Campaign Targeting Mobile Users in India Using India Post Lures<br>Sextortion scams run by Nigerian criminals are targeting American men, Meta says<br>‘Psychic’ and family of extortionists scam Md. man out of $4.2 million<br>You can hear more from the T-Minus space daily show here.<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com. |
| Exercise caution: online shopping edition. | 31 Aug 2023 | 00:55:25 | Oren Koren, CPO and Co-Founder of Veriti, discusses the need for vigilance and caution when navigating the online shopping landscape. Dave and Joe share quite a bit of listener follow-up. One listener writes in with a clarification on the "AI versus AI" episode: it was not Google that gave up its source code to do business in China, but 2 other companies. Listener Miguel brings our next bit of follow-up; he writes in to discuss financial crimes and shares a story prompted by one shared on the show. Our last piece of follow-up is from listener Will, who shares the method of expanding website links that works best for him. Dave's story is on an Amazon ad in Google search that looks so real it has been scamming people, redirecting visitors to a Microsoft Defender tech support scam that locks up their browser, the same one Dave had to help his father with a couple of weeks back. Joe's story follows a Cambridge shed builder who thought he was getting an award, when in fact all he got was a scam. Our catch of the day comes from the European Union Agency for Cybersecurity, which received a suspicious-looking email from "eBay."<br>Links to stories:<br>Sneaky Amazon Google ad leads to Microsoft support scam<br>Cambridge shed builder thought he was getting an award, but it was a vanity scam<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: cross-site scripting (noun) [Word Notes] | 29 Aug 2023 | 00:03:46 | From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim’s browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious JavaScript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim’s computer and the victim’s browser runs the code. |
| Hunting the hackers. | 24 Aug 2023 | 00:50:06 | Selena Larson and Tim Utzig discuss research titled "Twitter Scammers Stole $1,000 From My Friend—So I Hunted Them Down." Joe and Dave share a bit of follow-up this week: they discuss Hawaii fire scams, listener Steve writes in regarding some comments about the recent scammer quiz Joe and Dave took, and lastly listener John writes in to share his thoughts on a discussion a couple of weeks ago regarding Google Maps. Joe has two stories this week: one about how Joe was close to being scammed by a fake website, the second from listener George, who wrote in about the Bank of Ireland and a technical issue in the latest banking scam that tricked people into thinking they had money when they really didn't. Dave's story is from the FBI, on a new scam where people are being tricked through mobile beta-testing applications. Our catch of the day comes from listener Richard, who writes in with "a new tip on Crypto."<br>Links to stories:<br>Bank of Ireland glitch let customers withdraw money they didn’t have<br>Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: credential stealing (verb) [Word Notes] | 22 Aug 2023 | 00:03:49 | From the intrusion kill chain model, the first part of an exploitation technique where the hacker tricks their victims into revealing their login credentials. In the second part of the technique, hackers legitimately log into the targeted system and gain access to the underlying network with the same permissions as the victim. Hackers use this method 80% of the time compared to other ways to gain access to a system, like developing zero-day exploits for known software packages. The most common way hackers steal credentials is with some version of a phishing attack. |
| AI versus AI. | 17 Aug 2023 | 00:54:28 | Blair Cohen from AuthenticID joins Dave to discuss how generative AI and authentication go hand in hand. Joe and Dave share some follow-up from listener Robert, who discusses an ad for a device that uses ChatGPT to record phone calls on your device. Dave helps his dad out with his computer and shares the tale. Dave also shares a story this week on the FBI warning against scammers who are posing as NFT devs to try and steal your crypto. Joe and Dave test their scammer-catching skills by taking a test to see if they are smarter than the average scammer. Our catch of the day comes from listener Steve, who writes in to share a receipt he received that looked quite suspicious.<br>Links to stories:<br>FBI warns of scammers posing as NFT devs to steal your crypto<br>Are you smarter than a scammer? Play this game.<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| two-factor authentication (noun) [Word Notes] | 15 Aug 2023 | 00:09:07 | An authentication process that requires two different factors before granting access.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/two-factor-authentication |
| AI: A battle between heroes and villains. | 10 Aug 2023 | 00:58:16 | Dave Baggett from INKY joins Dave to dive into the latest phishing trends and discuss a broader view of how AI is being used by both the good guys and the bad guys. Joe's story this week dives into the APT with an entirely too cool name, Midnight Blizzard, which has been conducting targeted social engineering over Microsoft Teams. Dave's story this week follows a Facebook Marketplace user who dodged one scam, just to fall right back into another one. Our catch of the day comes from listener Mauricio, who writes in and shares a funny voicemail regarding a "potential W-2 refund."<br>Links to stories:<br>Midnight Blizzard conducts targeted social engineering over Microsoft Teams<br>Seller dodges Facebook Marketplace scam only to fall into another trap<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: phishing (verb) [Word Notes] | 08 Aug 2023 | 00:04:17 | From the intrusion kill chain model, the delivery of a “lure” to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. According to KnowBe4, the word “phishing” first appeared in a Usenet newsgroup called AOHell in 1996, and some of the very first phishing attacks used AOL Instant Messenger to deliver fake messages purportedly from AOL employees in the early 2000s. The word is part of l33tspeak, which started in the early days of the internet (1980s) as a shorthand to let readers know the author was part of the hacker community. In this case, the letters “ph” replace the letter “f” in the word fishing, as in “I fish, with an ‘f,’ for bass in the lake.” In hacking, “I phish, with a ‘ph,’ for login credentials from key employees at my target’s organization.” |
| Are you pretending to be Russian? [Hacking humans goes to the movies] | 05 Aug 2023 | 00:29:00 | Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds.<br>Links to this episode's clips if you'd like to watch along:<br>Dave's clip from the movie: HEARTBREAKERS<br>Rick's clip from the movie: Star Trek: The Wrath of Khan<br>Dave's second clip: Russian Restaurant<br>Dave's third clip: Funny scene 3 |
| Privacy matters when it comes to ChatGPT. | 03 Aug 2023 | 00:44:30 | Raj Ananthanpillai from Trua joins Dave to discuss privacy concerns and what you shouldn't share with ChatGPT. Dave and Joe share some listener follow-up from Clayton, who shares some comments on a previous episode where Dave discussed bomb threats to retail stores for ransom. Dave's story follows Google rapidly trying to correct bogus airline phone numbers that were discovered this week. Joe's story is on an Android app called "Spyhide," a phone surveillance app that has been collecting private phone data from tens of thousands of Android devices around the world. Our catch of the day is from listener Isak, who writes in to share a comedic spam email he received.<br>Links to stories:<br>Called a bogus airline customer support number? Google is hustling to fix that<br>Spyhide stalkerware is spying on tens of thousands of phones<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: cloud computing (noun) [Word Notes] | 30 Jul 2024 | 00:06:16 | On-demand, pay-as-you-go, Internet-delivered compute, storage, infrastructure, and security services that are partially managed by the cloud provider and partially managed by the customer. |
| iCloud keychain (noun) [Word Notes] | 01 Aug 2023 | 00:06:28 | A cloud-based sensitive information management system that allows users access across multiple devices.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/icloud-keychain<br>Audio reference link: Ellen’s Tips For iOS, 2022. How To Master iCloud Keychain to Keep Your Passwords Safe and Secure [Video]. YouTube. URL https://www.youtube.com/watch?v=Tl3E29iUvgE |
| Reducing risk in the cyber community. | 27 Jul 2023 | 00:57:28 | Perry Carpenter joins Dave to discuss his book "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer." Joe and Dave share some listener follow-up on messing with scammers, and how dangerous that actually can be. Joe's story follows hackers trying to steal your secrets using infected USB drives. Dave's story is on a tech executive who fell victim to a dating site scam, where the perpetrator was able to take $450,000 from someone who just thought they had found their soulmate. Our catch of the day this week comes from listener Ryan, who writes in sharing a license renewal scam from New Zealand, with a carefully crafted email made to look like the real thing.<br>Links to stories:<br>Tech Executive Falls Victim to $450K Scam on Dating Site: The Cruel 'Pig-Butchering' Scheme Going Around<br>The Spies Who Loved You: Infected USB Drives to Steal Secrets<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: darknet (noun) [Word Notes] | 25 Jul 2023 | 00:04:47 | A subset of the internet where communications between two parties or client-server transactions are obscured from search engines and surveillance systems by layers of encryption. The U.S. Navy designed the original Darknet by developing The Onion Router network, or TOR, back in the 1990s. Roger Dingledine and Nick Mathewson deployed the first alpha implementation in 2002 with some initial funding by the Electronic Frontier Foundation (EFF). The TOR Project became a non-profit in 2006 and is funded by the U.S., Sweden, different NGOs, and individual sponsors. |
| Barking up the wrong Facebook page. | 20 Jul 2023 | 00:54:52 | Mallory Sofastaii, consumer investigative reporter from WMAR TV, discusses animal rescue organizations' Facebook pages being taken over by hackers. Listener George writes in to share how his bank is not doing enough to protect against ongoing fraud. Dave's story follows scammers using new tricks, across the nation, to receive bitcoin and gift cards after threatening stores with bomb scares. Joe has the story on Chinese hackers who have targeted Commerce Secretary Gina Raimondo and other State and Commerce Department officials. Our catch of the day comes from listener Steve, who shares a fishy-looking email stating that he is going to be the beneficiary of "Thirty Nine Nine million, eight hundred thousand dollars."<br>Links to stories:<br>Scammers Target Stores With Bomb Threats, Seeking Bitcoin and Gift Cards<br>Chinese Hackers Targeted Commerce Secretary and Other U.S. Officials<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: rogue access point (noun) [Word notes] | 18 Jul 2023 | 00:04:07 | 1. A wireless access point installed by employees in an office or data center environment as a convenience to connectivity without the consent or the knowledge of the network manager. 2. A wireless access point, sometimes called an Evil Twin, installed by a cyber adversary in or near an office or data center environment, designed to bypass security controls, gain access, and/or surveil the network traffic of the victim’s network. Both kinds, the employee-installed and the adversary-installed rogue access points, increase the attack surface of the organization. The employee-installed device, because of its electronic footprint range, might make it easier for hackers and mischief makers outside of the organization’s network to bypass the corporate security controls and gain access without permission. The adversary-installed device is designed specifically to bypass the security controls of the target network. |
| Encore: The rise in fraudulent online content. | 13 Jul 2023 | 00:50:32 | Guest Jane Lee, Trust and Safety Architect from Sift, joins Dave to discuss the rise of fraudulent online content and fake crypto platforms. Dave and Joe share some listener follow-up regarding the debate over "mum" versus "mom" and who uses which pronunciation more. Dave has two stories this week: one follows a Twitter thread about a man who shared his story about selling a desk on Facebook and the dangers that come with that. His second story is about how hackers are using a clever new phishing technique to create email threads with multiple responses to trick potential victims into thinking bogus messages are legitimate. Joe shares the story of hackers' new way to get information by positioning themselves in the middle of your browser, between the server and your computer. Our catch of the day has a little bit of everything, from Peter, who writes in about an email he received that pulls out all the stops to get him to hand over his information.<br>Links to stories:<br>Twitter thread<br>https://www.cyberscoop.com/phishing-scheme-targeting-mideast-researchers/<br>Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: NMAP (noun) [Word Notes] | 11 Jul 2023 | 00:03:53 | A network mapping tool that pings IP addresses looking for a response and can discover host names, open communications ports, and operating system names and versions. Written and maintained by Gordon Lyon, a.k.a. Fyodor, it is a free and open-source software application used by system admins and hackers alike and has been a staple in the security community for well over two decades.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/nmap |
| Indicators to insider threats. | 06 Jul 2023 | 00:40:19 | Our UK correspondent Carole Theriault talks with London insurance market CISO Thom Langford about insider threats. Joe and Dave share some listener follow-up from Waldo, who writes in to share a video explaining how bad guys are able to hack users. Joe shares a report from Verizon, one of the industry's leading phone companies, about social engineering. Dave's story follows a gentleman who was able to steal one million dollars from at least 700 DoorDash drivers, and now police are warning about this sophisticated phishing scam. Our catch of the day comes from listener Ami, who writes in to share her victory in catching a scammer after receiving a weird voicemail from a so-called police officer.<br>Links to stories:<br>2023 Data Breach Investigations Report<br>A Stamford man allegedly stole $1M from 700 DoorDash drivers. Police say his victims are hard to ID.<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Encore: Diamond Model (noun) [Word Notes] | 04 Jul 2023 | 00:07:47 | A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond of adversary playbook activity across the intrusion kill chain: the adversary, their capability, the infrastructure used or attacked, and the victim.<br>CyberWire Glossary link: https://thecyberwire.com/glossary/diamond-model<br>Audio reference link: “Diamond Presentation v2 0: Diamond Model for Intrusion Analysis – Applied to Star Wars’ Battles,” Andy Pendergrast and Wade Baker, ThreatConnect, YouTube, 4 February 2020. |
| Beware ChatGPT curious: Fleece-ware chatbot apps. | 29 Jun 2023 | 00:48:41 | Guest Sean Gallagher, Principal Researcher with the Sophos X-Ops team, joins us to discuss "'FleeceGPT' mobile apps target AI-curious to rake in cash." Joe shares some listener feedback from Jon about the "No Stupid Questions" podcast. Dave's story is from Reddit about a free piano scam. Joe's got a story on a woman pleading with her bank to stop a fake wire transfer, but the bankers were too busy. Our Catch of the Day comes from Rob about a fake student loan help ticket.<br>Links to stories:<br>“FleeceGPT” mobile apps target AI-curious to rake in cash<br>Just ran into the most sophisticated "free piano" scam I've ever seen<br>Wells Fargo bankers tell East Bay customer they're too busy to stop wire scam<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. |
| Healthcare hassles and hefty heists. | 25 Jul 2024 | 00:49:21 | This week, Maria Varmazis, host of the N2K daily space show T-Minus, joins Dave and Joe, as they celebrate Maria joining the Hacking Humans podcast every week! Maria's story is from a listener who writes in about an IT company that acts as a third party for a healthcare company, and the dangers that can come from that. Dave and Joe share some listener follow-up from Michael, who shares some thoughts on AI. Dave's story follows how a recent study found that 40% of elderly adults in the UK regularly face phone-based fraud attempts, with significant impacts on their mental health and quality of life. Joe's story follows a Scottsdale couple, Alexandra Gehrke and Jeffrey King, who have been indicted for a $900 million fraud scheme targeting hospice patients, receiving $330 million in illegal kickbacks used to purchase luxury items. Our catch of the day comes from listener Jim, who writes in with a letter about a concerned beneficiary who received a letter from the "FBI" about their overdue inheritance with the National Bank of Belgium. The message confirmed the legitimacy of their claim but warned of potential scams by individuals impersonating bank officials.<br>Please take a moment to fill out an audience survey! Let us know how we are doing!<br>Links to the stories:<br>Two-Fifths of Senior Citizens Suffer Frequent Fraud Attempts<br>‘It’s really disgusting’: Scottsdale couple accused of $900 million fraud scheme targeting hospice patients, according to DOJ<br>You can hear more from the T-Minus space daily show here.<br>Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com. |
| CISA (noun) [Word Notes] | 27 Jun 2023 | 00:07:28 | |
A US Department of Homeland Security agency tasked with supporting cyber and physical security for US critical infrastructure.
CyberWire Glossary link: https://thecyberwire.com/glossary/cybersecurity-and-infrastructure-security-agency
Audio reference link: CISA, 2021. CISA Director Jen Easterly’s Keynote at Black Hat USA 2021 [Video]. YouTube. URL https://www.youtube.com/watch?v=q7bu-L-m4K4. | |||
| spam (noun) [Word Notes] | 27 Jun 2023 | 00:07:49 | |
Unsolicited, unwanted, and sometimes malicious electronic messages indiscriminately transmitted to a large number of people.
CyberWire Glossary link: https://thecyberwire.com/glossary/spam
Audio reference link: zumpzump, 2007. Monty Python - Spam [Video]. YouTube. URL https://www.youtube.com/watch?v=anwy2MPT5RE. | |||
| Risky chat applications. | 22 Jun 2023 | 00:51:58 | |
Toby Pischl, Head of Information & Email Security at Broadcom, sits down with Dave to discuss how Slack and Microsoft Teams phishing is an open door into businesses. Joe and Dave share some follow up regarding a case of a woman claiming to have cancer to receive over $37,000 from donors on GoFundMe. Joe has the terrible story out of Michigan where a high schooler committed suicide after a sextortion scam. Dave has a story on job seekers around the country and how likely they are to fall for a job scam. Our catch of the day comes from listener Albert, who writes in regarding the German phishing emails he keeps receiving.
Links to stories:
Madison Russo pleads guilty to theft in cancer scheme
High school football player Jordan DeMay driven to suicide after Nigerian sextortion scam, anguished family reveals
Michigan family sounds alarm on son's 'sextortion' suicide after arrests of 3 Nigerian men
Three Nigerian Men Awaiting Extradition For Committing Sexual Extortion
1 in 3 Recent Job Seekers Have Been Tricked Into Applying for a Fake Job Scam
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. | |||
| CISA (noun) [Word Notes] | 20 Jun 2023 | 00:07:28 | |
A US Department of Homeland Security agency tasked with supporting cyber and physical security for US critical infrastructure.
CyberWire Glossary link: https://thecyberwire.com/glossary/cybersecurity-and-infrastructure-security-agency
Audio reference link: CISA, 2021. CISA Director Jen Easterly’s Keynote at Black Hat USA 2021 [Video]. YouTube. URL https://www.youtube.com/watch?v=q7bu-L-m4K4. | |||
| Replier attacks: the latest tool in a hacker's arsenal. | 15 Jun 2023 | 00:52:38 | |
This week, Jeremy Fuchs from Avanan joins Dave to discuss how hackers are using replier attacks. In a replier attack, the From address is made to look like a reputable company, but the attacker sets the Reply-To header to an account they control, so that anyone who hits "reply" is corresponding with the scammer rather than the company. Joe and Dave share some follow up from listener Wayne, who writes in with some comments on episode 245, and listener Michael, who writes about his first ChatGPT experience. Dave's story follows an alarming new trend, where sextortionists are making AI nudes from people's social media images. Joe's story uncovers the social engineering tricks hackers use from their personal scammer's handbook. Our catch of the day comes from listener Tim, who shares a message from a "dear friend."
Links to stories:
Sextortionists are making AI nudes from your social media images
Offbeat Social Engineering Tricks in a Scammer’s Handbook
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. | |||
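The header mismatch that defines a replier attack is mechanical enough to check automatically. The following Python is an added example written for this page; it is not code from the episode, from Avanan, or from the CyberWire. It parses an RFC 5322 message with the standard library, compares the domain of the From address against every address in Reply-To, and flags the message when they differ. The two sample messages and their `.test` domains are constructed for illustration.

```python
"""Flag messages whose Reply-To points somewhere other than the apparent sender.

Added example, not from the Hacking Humans episode or from Avanan. The message
samples below are constructed for illustration; the domains are placeholders.
"""
from email import message_from_string
from email.utils import getaddresses


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def reply_to_mismatch(raw_message: str) -> dict:
    """Compare From and Reply-To domains in an RFC 5322 message.

    Returns a dict with the parsed domains and a boolean 'suspicious' that is
    True when a Reply-To header is present and any of its addresses belongs
    to a domain other than the From domain. A missing Reply-To is not
    suspicious: replies then go back to the From address by default.
    Only the address part is compared; display names are ignored because
    they are free text the attacker controls.
    """
    msg = message_from_string(raw_message)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    from_domain = _domain(from_addrs[0]) if from_addrs else ""
    reply_domains = sorted({_domain(a) for a in reply_addrs})
    suspicious = any(d != from_domain for d in reply_domains)
    return {
        "from_domain": from_domain,
        "reply_to_domains": reply_domains,
        "suspicious": suspicious,
    }


# Constructed samples: a benign notice and a replier-style lure whose
# display name mimics the sender while the address goes to a webmail account.
BENIGN = """From: Billing <billing@example-bank.test>
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""

LURE = """From: Billing <billing@example-bank.test>
Reply-To: "Billing" <billing.example-bank@webmail.test>
Subject: Action required: wire confirmation

Reply to this message with the confirmation code to release the transfer.
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("lure", LURE)):
        print(name, reply_to_mismatch(sample))
```

Treat the result as a signal rather than a verdict: mailing lists, ticketing systems and marketing platforms legitimately set a Reply-To on a different domain, so in a mail gateway this check is best combined with the sender's authentication results (SPF, DKIM, DMARC) and with whether the Reply-To domain is a consumer webmail provider.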
| dumpster diving (noun) [Word Notes] | 13 Jun 2023 | 00:07:08 | |
The act of searching through an organization's trash for discarded sensitive material.
CyberWire Glossary link: https://thecyberwire.com/glossary/dumpster-diving
Audio reference link: “Better Call Saul jimmy digs in the Sandpiper trash scene,” uploaded by Robert Bowersock, 18 September 2022. | |||
| Criminals...assemble! [Hacking humans goes to the movies] | 11 Jun 2023 | 00:30:51 | |
Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds.
Links to this episode's clips if you'd like to watch along:
Dave's clip from the movie: Ocean's 8
Rick's clip from the movie: Avengers Endgame | |||
| The rise of ChatGPT: A look into the future of chatbots. | 08 Jun 2023 | 00:53:25 | |
This week, our CyberWire UK Correspondent Carole Theriault is talking with Paul Ducklin from Sophos about where ChatGPT could be going in the future. Joe and Dave share quite a bit of follow up from listeners, discussing several people writing in about dating apps and the men who use them, along with a question from listener Bryan, who asks about an email scheme an intern working for his company received. Joe's story homes in on AI, discussing in particular how artificial intelligence is changing the social engineering game forever. Dave has the story on how hackers hide malicious links within pictures to redirect users to phishing sites. Our catch of the day comes from listener Cyrus, who shares an email they received about benefits with a hilarious twist.
Links to stories:
How AI Is Changing Social Engineering Forever
The Picture in Picture Attack
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. | |||
| SEO poisoning (noun) [Word Notes] | 06 Jun 2023 | 00:06:19 | |
The manipulation of search engine optimization, SEO, to promote malicious sites in search engine results.
CyberWire Glossary link: https://thecyberwire.com/glossary/search-engine-optimization-poisoning
Audio reference link: Brown, B.E., 2021. The Ending Of The Waldo Moment Explained [Video]. YouTube. URL https://www.youtube.com/watch?v=HsWja44-EMg. | |||
| Are you who you say you are? | 01 Jun 2023 | 00:49:09 | |
Bala Kumar of Jumio joins to discuss how travel companies can combat the exponential rise in fraud and ensure their traveler is who they say they are. Dave and Joe share some listener follow up, with the first from Matt, who writes in with a strange Dick's Sporting Goods story about gift cards and credit cards. Our second follow up comes from listener King, who writes in regarding the QR discussion in episode 243. Dave's story follows how almost every US state has sued a telecom company after being accused of routing billions of illegal robocalls to millions of US residents on the do not call list. Joe's story is about a family losing $730,000 in a wire fraud scam, but with a twist ending. Our catch of the day comes from listener William, who writes in with an email laced with so much fraud, Gmail didn't even want Joe to open it to read it for this episode.
Links to stories:
48 states sue phone company that allegedly catered to needs of robocallers
Family loses $730K in wire fraud scam — and gets it all back
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. | |||
| Encore: APT (noun) [Word Notes] | 23 Jul 2024 | 00:06:52 | |
An acronym for Advanced Persistent Threat to describe hacker groups or campaigns normally, but not always, associated with nation state cyber espionage and continuous low-level cyber conflict operations. | |||
| passkey (noun) [Word Notes] | 30 May 2023 | 00:07:28 | |
A passwordless authentication credential based on the FIDO2 (WebAuthn) standard.
CyberWire Glossary link: https://thecyberwire.com/glossary/passkey
Audio reference link: Summers, J., 2023. Google Passkeys Have Arrived (here’s how to use them) [All Things Secured Channel]. YouTube. URL https://www.youtube.com/watch?v=oFO7JgUx-bU. | |||
| catfish (noun) [Word Notes] | 30 May 2023 | 00:07:03 | |
The practice of crafting a fake online persona for malicious purposes.
CyberWire Glossary link: https://thecyberwire.com/glossary/catfish
Audio reference link: netbunny, 2013. Catfish - The Movie - Ending Scene [Movie Scene]. YouTube. URL https://www.youtube.com/watch?v=qR_NIN6zy0U | |||
| Bringing in the human side of scamming. | 25 May 2023 | 01:06:28 | |
Nick Percoco from Kraken sits down to discuss the human factor of crypto scams, including common red flags and what to do when a third party is exerting pressure that taps into human emotions. Listener Sean writes in with some follow up to discuss the increase in AI scams and whether people would be more likely to talk about falling for these scams as AI becomes better and better. An anonymous listener also reached out with some follow up regarding their experience with corporate ID theft. Joe's story follows the report on "dark patterns," and what they are. Dave's story is on people who were hired as customer service reps, but instead helped lure in the lonely and lovestruck through a network of dating and hookup sites. Our catch of the day comes from listener Gareth, who shares his catch of a phishing scheme from the "NSA."
Links to stories:
Guide to Dark Patterns – Terms and examples from the CCPA and the CPA
Bringing Dark Patterns to Light
This Is Catfishing on an Industrial Scale
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. | |||
© My Podcast Data